Product and Security Advisories

To assist customers in their long-term planning, Absolute is providing the following advisories concerning Secure Access and Insights for Network (formerly Mobility and Mobile IQ)

Secure Access

Updates regarding support for Mobility v11.x, Android 7, and SHA-1 certificates.

Mobility v11x:
As previously announced, End of Life (EoL) for all Mobility v11.x servers and clients will occur on February 29, 2024. Customers running these versions with active maintenance agreements expiring after February 29, 2024, will have access to technical support. However, any defects, operating platform updates or security fixes will only be resolved by upgrading to the current software version.

Android 7:
Releases of Secure Access after January 1, 2024, will no longer support Android 7. Customers running supported versions of Mobility or Secure Access that currently support Android 7 will have access to technical support. However, any defects, platform updates, or security fixes will only be available by upgrading to the current software version. Customers with devices running Android 7 are strongly advised to consult their hardware vendors for upgrades to more modern versions of Android.

SHA-1:
Major versions of Absolute Secure Access released after January 1, 2024 will discontinue support for SHA-1 certificates. SHA-1 certificates were sometimes used by older RADIUS authentication solutions and are widely known to be vulnerable to brute force attacks. Customers are strongly advised to upgrade and/or reconfigure their authentication and RADIUS servers to use SHA-2 certificates, which will be required by Secure Access clients or servers going forward.

Insights for Network

Updates regarding Mobile IQ v2.x, Mobile IQ v3.x, and Insights for Network v4.x End of Life (EoL) dates.

End of Life for Mobile IQ v2.x
As previously announced, End of Life (EoL) for all Mobile IQ v2.x will occur on February 29, 2024. Customers running these versions with active maintenance agreements expiring after February 29, 2024, will have access to technical support. However, any defects, operating platform updates or security fixes will only be resolved by upgrading to the current software version.

End of Life for Mobile IQ and Insights for Network v3.x
To assist customers in their long-range planning, Absolute Software is providing customers with advance notice of the end of life (EOL) for the following products:

• Mobile IQ v3.x
• Insights for Network v3.x

Customers running Mobile IQ v3.x or Insights for Network 3.x should plan to migrate to the latest versions. We will no longer provide support for Mobile IQ v3.x or Insights for Network v3.x after November 18, 2024.

Lifecycle for Insights for Network v4.x and following releases
To assist customers in their long-range planning, Absolute Software is providing customers with advance notice of a revised End of Life (EoL) schedule for Insights for Networks version (4.x) and following.

• The most current versions of Insights for Network, v4.0 and following, and all future versions will reach EoL twenty-four (24) months from release of each specific version.  Example:  Insights for Network v4.0 will EOL July 12, 2025. Version 4.01, released on August 31, 2023 will be EoL on August 31, 2025.

For assistance in migration, please contact:

• Support: [email protected]
• Sales: [email protected]

To assist customers in their long-range planning, Absolute Software is providing advance notice of End of Sale (EoS) and End of Life (EoL) for NetMotion Mobility v11.x and NetMotion Mobile IQ v2.x.

 End of Sale (EoS) will occur after June 30, 2023 for Mobility v11.x servers and clients and Mobile IQ v2.x. After June 30, customers will only be able to purchase subscription licenses for newer versions of the software.

End of Life (EoL) will occur after February 29, 2024 for Mobility v11.x servers and clients, and Mobile IQ v2.x server. Customers running these versions with active maintenance agreements expiring after February 29, 2024 will continue to receive technical support. However, any defects, operating platform updates or security fixes will only be resolved by upgrading to the current software version.

Customers should plan to migrate to the latest software versions well before February 29, 2024.

To assist customers in their long-range planning, we are providing advanced notification that we will discontinue Mobility client support for Microsoft Windows 8.1 on January 10, 2023.  

Microsoft previously announced that after January 10, 2023, they will no longer offer technical support, software updates, or security updates for Windows 8.1. While Windows 8.1 will continue to work, it will become progressively less secure. Customers who continue running Windows 8.1 after January of 2023 do so at their own risk. As a reminder, Microsoft’s Mainstream Support program for Windows 8.1 ended in January 2018. 

After November 2022, we will only release new features and fixes for Windows clients running Windows 10 or Windows 11. Customers will be required to upgrade their client to a supported operating system to receive new features and bug fixes.  

Customers who require Windows 8.1 support may continue to run Mobility 12.5x clients. 

Absolute is actively responding to the reported remote code execution vulnerability in the Apache Log4j2 Java library dubbed Log4Shell (or LogJam). We have investigated and taken action for the Absolute Visibility, Control and Resilience products that utilize Log4j2. No other Absolute or NetMotion products are impacted.

April 22,2021: To assist customers in their long-range planning, NetMotion Software is providing advanced notification of our plan to discontinue development for all clients supporting Microsoft Windows version 8.1, Apple iOS version 12, and Apple macOS version 10.14. After April 1, 2022, we will no longer provide new features or patches for clients running on these platforms. 

Technical support will continue to be available to all customers with current maintenance agreements for all versions of our products running on Windows 8.1, iOS 12 and macOS 10.14 through the end-of-life of the applicable NetMotion product version.

For further information or if you need to speak with our sales and technical support representatives, visit our website at www.netmotionsoftware.com or call (206) 691-5555.

Summary:

On November 19, 2020, NetMotion alerted customers to security vulnerabilities in the Mobility web server and released updates for Mobility v11.x and v12.x to address them.

The CVSS 3.1 base score for these vulnerabilities is 8.1 (High)

The vulnerabilities were fixed in versions Mobility v11.73 and v12.02, which were released on November 19, 2020. Customers should upgrade immediately to these or later versions. 

Download the updated versions of Mobility servers from the NetMotion customer portal, or contact support for assistance. Consult the Mobility v11.73 and v12.02 or later documentation for guidance on securely configuring your Mobility deployment. 

In addition, customers should verify that their Mobility servers are behind a commercial firewall and that only the VPN port is exposed to untrusted networks. The default port for the VPN is UDP 5008.  If you have changed the default VPN port, ensure that only the VPN port is exposed.  

Details

Prior to Mobility v11.73 and v12.02, attackers with access to the Mobility web server, which hosts the Mobility management console and some inter-server communications processes, could exploit Java deserialization vulnerabilities. Successful exploitation results in remote code execution with system privileges without prior authentication. Customers who have followed NetMotion’s recommendations for secure deployment are only vulnerable to this attack from inside their protected network where the Mobility web server is deployed. 

Mobility v11.73 and v12.02 fixed these vulnerabilities and mitigated future exploitation of this class of attack by implementing a safe Java object reader and cryptographic validation of input prior to deserialization where appropriate.

NetMotion thanks SSD Disclosure for their professionalism in bringing these vulnerabilities to our attention, working with us under the principles of responsible disclosure, and ensuring that our customers had an opportunity to update their systems prior to releasing any details.

For more details on these vulnerabilities, visit SSD Disclosure. https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/

CVE-2021-26912

CVE-2021-26913

CVE-2021-26914

CVE-2021-26915

CVSS 3.1 Vector String: 

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

NetMotion Software is providing customers with advance notice of the end of life (EOL) for the following:

• NetMotion Mobility v10.x servers and clients
• NetMotion Mobile IQ v1.x server
• NetMotion Diagnostics v4.x 
• NetMotion Mobility Analytics module

Customers running Mobility v10.x or Mobile IQ v1.x should plan to migrate to the latest versions. We will no longer provide support for Mobility v10.x or Mobile IQ v1.x after September 1, 2021.

Customers running NetMotion Diagnostics should contact their account manager for assistance migrating to the new NetMotion platform, which includes Diagnostics functionality. We will no longer support the Diagnostics product after September 1, 2021.  

Analytics Module functionality (alerting, data storage, and data visualization) is part of the new NetMotion platform. Customers running the Mobility v11.x Analytics module will receive operational and configuration support for the service life of Mobility 11, but we will not provide software updates or patches for the Mobility Analytics module after September 1, 2021. 

The Microsoft Windows 10 ‘Spring Update’ is expected to adversely impact the Mobility Single Sign-on (SSO) feature for Windows 10 clients. In anticipation of the Windows 10 Spring Update, NetMotion is releasing the Mobility 11.71 Windows client to ensure that SSO works properly after applying the Windows 10 Spring Update.

NetMotion recommends that administrators test and deploy the Mobility 11.71 client to their Windows 10 systems prior to installing the Windows 10 Spring Update to ensure that SSO continues to work as expected after the Spring Update is installed.

On January 28, 2020 Apple released iOS update 13.3.1. New restrictions introduced in the update adversely affect the biometric support introduced in Mobility version 11.50. NetMotion is releasing Mobility 11.72 for iOS—disabling biometric support as a temporary fix to prevent users from experiencing connectivity problems until Apple resolves the issue or a workaround can be implemented. Note: 11.72 for iOS is narrowly targeted at iOS biometric support. It does not change VPN authentication.

As an administrator, you have two options depending on whether you want to upgrade to the latest version of iOS, or if you want to maintain biometric support.

• If you want to continue to use iOS biometrics on your clients, you must not upgrade these devices to iOS 13.3.1. Additionally, you must not install the Mobility 11.72 iOS client, which disables support for iOS biometrics to prevent connectivity problems.
• If you must upgrade your devices to iOS 13.3.1, or you cannot control how users upgrade their devices, then NetMotion recommends that you disable the Mobility setting “Authentication – Biometrics” and install the Mobility 11.72 iOS client prior to upgrading to iOS 13.3.1.

Users with Mobility devices already running iOS 13.3.1 that are also configured for biometrics (Touch ID or Face ID) via the Mobility setting “Authentication – Biometrics” may receive a notice that “Biometric authentication is required for connection [Reason 150]”; in this case the client will not connect to the Mobility server. The only way to connect after experiencing this error is to do one of the following

• Upgrade the client to Mobility 11.72
• Change the global client setting  “Authentication – Biometrics” in the Mobility console (Configure > Client Settings) to “Do not use biometrics” and create a new VPN Profile on the client, either in the Mobility client interface or by pushing a new profile to a client using a Mobile Device Management (MDM) system. 

On January 14, 2020 Microsoft and the NSA released information regarding vulnerabilities in Microsoft cryptographic libraries that are part of Windows 10, Windows Server 2016, and Windows Server 2019.

In the advisory, the NSA describes how cryptographic libraries in Windows operating systems could be fooled into believing that cryptographically signed data is genuine when it is not. In particular, the NSA called out “HTTPS connections, signed files and emails, and signed executable code” as possible vectors for attack. These vulnerabilities have been patched by Microsoft in the January 14, 2020 Security Update.  The NSA and Microsoft strongly recommend that administrators of vulnerable systems rapidly test and deploy the January 14 patches.

NetMotion products are not directly affected by these vulnerabilities. NetMotion has tested the Microsoft security updates on the affected Windows operating systems and found no compatibility issues. We strongly encourage administrators of NetMotion products to test and deploy the latest Microsoft security updates to all systems running on Windows 10, Windows Server 2016 and Windows Server 2019.

To assist customers in their long-range planning, NetMotion Software is providing advanced notification that we will discontinue support for Microsoft Windows 7 on January 14, 2020. 

Microsoft previously announced that after January 14, 2020, they will no longer offer technical support, software updates, or security updates for Windows 7. While Windows 7 will continue to work, it will become progressively less secure. Customers who continue using Windows 7 after January of 2020 do so at their own risk. As a reminder, Microsoft’s Mainstream Support program for Windows 7 ended in January 2015.

Beginning in January 2020, NetMotion will only release new features and fixes for Windows clients running Windows 8.1 or Windows 10. Customers will be required to upgrade their client to a supported operating system to receive new features and bug fixes. 

NetMotion currently supports Windows 7 clients on Mobility version 10.0 through version 11.7x. 

To assist customers in their long-range planning, NetMotion Software is providing advanced notification of our plan to discontinue development for Microsoft Windows Server 2012 R2 for Mobility and Diagnostics.

To assist customers in their long-range planning, NetMotion Software is providing advanced notification of our plan to discontinue development for Microsoft Windows Server 2012 R2 for Mobility and Diagnostics.

Technical support will continue to be available to all customers under maintenance for all versions of our products running on Server 2012 R2 through the end-of-life of that version (typically three years after the release date).

For further information or if you need to speak with our sales and technical support representatives, visit our website at www.netmotionsoftware.com or call (206) 691-5555.

On systems running macOS 10.14.4, Mobility clients can terminate and restart when roaming between networks (for example: wired to wireless network, different wireless networks, LAN to WAN, and so on). The Mobility client mitigates this by automatically reconnecting (if configured), but you may notice a service interruption while roaming. This issue does not occur on macOS 10.14.3 and earlier and is fixed in macOS 10.15.x (Catalina). Please contact support for more information.

Upgrading to the Windows 10 Fall 2018 release requires that you also upgrade to the Mobility v11.43 client. Microsoft is releasing their Fall update to Windows 10 (v1809). The Mobility v11.43 client for Windows fixes compatibility issues with the Windows 10 network location awareness (NLA) feature in Windows 10 v1809. Without the updated Mobility client, any application that uses this feature will malfunction, including the Edge browser and many Windows system apps. Windows 10 devices running Microsoft’s fall release must install Mobility v11.43 to avoid these issues. See Known and Resolved Issues for details.

Summary: As is true of many other software companies, NetMotion has discovered all current versions of the Mobility client are incompatible with some upcoming updates to Windows. Though not part of the initial Spectre and Meltdown updates, when these Windows updates are applied, systems running any Mobility client for Windows prior to 11.32 will not operate as expected. You MUST upgrade to Mobility v11.32 before applying them. Do not delay.

Advisory: Current versions of Mobility are fully compatible with the initial round of Microsoft’s Spectre and Meltdown updates. We expect that Microsoft will release more patches addressing these vulnerabilities; we will keep you informed as to whether they will affect your NetMotion deployment. In the wake of the initial round of patches, we learned that Microsoft’s Windows 10 Spring release is incompatible with all current versions of the Mobility client. In the past, the Spring release has been available in the March timeframe but with the current situation involving Spectre and Meltdown, we cannot be sure these releases will not happen sooner. We expect the updates to Windows 8 and 7 will also be incompatible. We are releasing v11.32 clients for all Windows platforms to address the incompatibility.

If you apply the upcoming Windows update, systems running any Mobility client for Windows prior to 11.32 will not operate as expected. Because we don’t know precisely when Microsoft will release the updates, you must upgrade your Windows systems to Mobility v11.32 as soon as possible. Do not delay.

• NetMotion customers with current maintenance or subscription contracts can download the updated clients from our software download portal.
• If you are running Mobility 10.51 or greater on both client and server, you can upgrade your clients hands free with our easy to use over-the-air update feature. Click here to learn more.

There is a known issue where authentication fails on Microsoft’s NPS RADIUS server after installing patch KB4034681, KB4025335 or KB4034663. Please contact your NetMotion account manager for additional information.  

After June 30, 2017, Diagnostics servers prior to v4.10 may not correctly display coverage maps, device maps, and client report mini-maps. Earlier Diagnostics server versions will continue to collect and store location data and display reports, but due to changes with Microsoft Bing Maps, maps may not display properly after June 30, 2017.

If you encounter problems where maps do not display after that date, upgrade to Diagnostics v4.10. Technical Support can assist customers who want to upgrade their Diagnostics systems. For assistance planning your upgrade, or for any further questions, please contact us.

After December 31, 2017, NetMotion Software will no longer provide support for Diagnostics v2.x servers and clients. Customers running Diagnostics 2.x systems should upgrade to Diagnostics v4.10 or later. For a current list of supported operating systems and versions, see the Supported Operating Systems page.  

Effective March 2017, NetMotion Software has stopped developing and testing its software products on the following platforms:

• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012 (Windows Server 2012 R2 continues to be supported)
• Apple iOS v9.x
• Google Android v4.0 through 4.3

NetMotion products that support these operating systems continue to be supported until the product’s published end-of-life, but maintenance releases, feature releases, and major versions of NetMotion Software will not support them.

• Customers with a current maintenance agreement will continue to receive full support for NetMotion products until the product version they are running has reached end-of-life.
• We encourage customers running our solutions on any of these operating systems to upgrade.
• Technical Support can assist customers who want to upgrade to a newer, supported operating system. For assistance planning your migration, or for any further questions, please contact us.

Mobility 10.72 for iPhone and iPad is supported on both iOS 9 and 10. Administrators should upgrade to Mobility 10.72 before October 10, 2016, as this is when NetMotion plans to release Mobility 11 for iPhone and iPad, which supports only iOS 10 and later; most upgrades from Mobility 10.72 to Mobility 11 are expected to be trouble-free.

Administrators should be aware of important issues surrounding licensing, certificate handling, and support for iOS 9 that may arise with the release of Mobility 11, and take appropriate steps to prepare for the transition. Full details of the issues and procedures for managing the upgrade process are described here.